* Created System->change_apache_password() to update (and enable) Striker's apache user. For now, it simply enables it in httpd.conf, it doesn't actually set/update the password.

Signed-off-by: Digimer <digimer@alteeve.ca>
main
Digimer 7 years ago
parent b8bb781c5e
commit de333704b5
  1. 6
      Anvil/Tools.pm
  2. 162
      Anvil/Tools/System.pm
  3. 3
      anvil.conf
  4. 8
      tools/anvil-change-password

@ -664,6 +664,9 @@ sub _set_defaults
my ($anvil) = shift; my ($anvil) = shift;
$anvil->data->{sys} = { $anvil->data->{sys} = {
apache => {
user => "admin",
},
daemons => { daemons => {
restart_firewalld => 1, restart_firewalld => 1,
}, },
@ -751,6 +754,7 @@ sub _set_paths
'anvil.conf' => "/etc/anvil/anvil.conf", 'anvil.conf' => "/etc/anvil/anvil.conf",
'anvil.version' => "/etc/anvil/anvil.version", 'anvil.version' => "/etc/anvil/anvil.version",
'firewalld.conf' => "/etc/firewalld/firewalld.conf", 'firewalld.conf' => "/etc/firewalld/firewalld.conf",
'httpd.conf' => "/etc/httpd/conf/httpd.conf",
'journald_anvil' => "/etc/systemd/journald.conf.d/anvil.conf", 'journald_anvil' => "/etc/systemd/journald.conf.d/anvil.conf",
'pg_hba.conf' => "/var/lib/pgsql/data/pg_hba.conf", 'pg_hba.conf' => "/var/lib/pgsql/data/pg_hba.conf",
'postgresql.conf' => "/var/lib/pgsql/data/postgresql.conf", 'postgresql.conf' => "/var/lib/pgsql/data/postgresql.conf",
@ -758,6 +762,7 @@ sub _set_paths
}, },
data => { data => {
group => "/etc/group", group => "/etc/group",
htpasswd => "/var/www/home/htpasswd",
host_uuid => "/etc/anvil/host.uuid", host_uuid => "/etc/anvil/host.uuid",
passwd => "/etc/passwd", passwd => "/etc/passwd",
}, },
@ -791,6 +796,7 @@ sub _set_paths
head => "/usr/bin/head", head => "/usr/bin/head",
hostname => "/usr/bin/hostname", hostname => "/usr/bin/hostname",
hostnamectl => "/usr/bin/hostnamectl", hostnamectl => "/usr/bin/hostnamectl",
htpasswd => "/usr/bin/htpasswd",
ifdown => "/sbin/ifdown", ifdown => "/sbin/ifdown",
ifup => "/sbin/ifup", ifup => "/sbin/ifup",
ip => "/usr/sbin/ip", ip => "/usr/sbin/ip",

@ -15,6 +15,7 @@ my $THIS_FILE = "System.pm";
### Methods; ### Methods;
# call # call
# change_apache_password
# change_shell_user_password # change_shell_user_password
# check_daemon # check_daemon
# check_memory # check_memory
@ -186,6 +187,167 @@ sub call
return($output); return($output);
} }
=head2 change_apache_password
This changes the password used to connet to Striker's web interface. If the C<< .htpasswd >> file isn't found, this method will effectively enable the password feature.
The return code will be C<< 255 >> on internal error. Otherwise, it will be the code returned from the C<< passwd >> call.
Parameters;
=head3 new_password (required)
This is the new password to set. The user should be encouraged to select a good (long) password.
=head3 password (optional)
If you are changing the apache password on a remote machine, this is the password used to connect to that machine. If not passed, an attempt to connect with passwordless SSH will be made (but this won't be the case in most instances). Ignored if C<< target >> is not given.
=head3 port (optional, default 22)
This is the TCP port number to use if connecting to a remote machine over SSH. Ignored if C<< target >> is not given.
=head3 remote_user (optional, default root)
If C<< target >> is set and we're changing the password for a remote user, this is the user we B<< log into >> the remote machine as, B<< not >> the user whose password we will change.
=head3 target (optional)
This is the IP address or (resolvable) host name of the target machine whose user account you want to change the password
=head3 user (optional, default 'sys::apache::user' or 'admin')
This is the apache user name to use. If another name existed before in C<< .htpasswd >>, that old user name will be removed.
=cut
sub change_apache_password
{
my $self = shift;
my $parameter = shift;
my $anvil = $self->parent;
my $debug = defined $parameter->{debug} ? $parameter->{debug} : 3;
my $new_password = defined $parameter->{new_password} ? $parameter->{new_password} : "";
my $password = defined $parameter->{password} ? $parameter->{password} : "";
my $port = defined $parameter->{port} ? $parameter->{port} : "";
my $remote_user = defined $parameter->{remote_user} ? $parameter->{remote_user} : $anvil->data->{sys}{apache}{user};
my $target = defined $parameter->{target} ? $parameter->{target} : "";
my $user = defined $parameter->{user} ? $parameter->{user} : "";
my $return_code = 255;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => {
user => $user,
target => $target,
port => $port,
remote_user => $remote_user,
new_password => $anvil->Log->secure ? $new_password : "--",
password => $anvil->Log->secure ? $password : "--",
}});
# Set the user to 'admin' if it's not set.
if (not $user)
{
$user = "admin";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => { user => $user }});
}
# OK, what about a password?
if (not $new_password)
{
# Um...
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0020", variables => { method => "Systeme->change_apache_password()", parameter => "new_password" }});
return($return_code);
}
# Only the root user can do this!
# $< == real UID, $> == effective UID
if (($< != 0) && ($> != 0))
{
# Not root
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0156", variables => { method => "Systeme->change_apache_password()" }});
return($return_code);
}
# Read httpd.conf and make sure apache is configured for .htpasswd.
my $httpd_conf = $anvil->Storage->read_file({
file => $anvil->data->{path}{configs}{'httpd.conf'},
debug => $debug,
target => $target,
port => $port,
remote_user => $remote_user,
password => $password,
});
if ($httpd_conf eq "!!error!!")
{
# We're done.
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => { httpd_conf => $httpd_conf }});
return($return_code);
}
my $rewrite = 0;
my $new_file = "";
my $in_directory = 0;
foreach my $line (split/\n/, $httpd_conf)
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => { line => $line }});
if ($in_directory)
{
if ($line =~ /^(\s+)AllowOverride None/i)
{
# We need to update.
my $space = $1;
$rewrite = 1;
$new_file .= $space."AllowOverride AuthConfig\n";
next;
}
elsif ($line eq "</Directory>")
{
$in_directory = 0;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => { in_directory => $in_directory }});
}
}
elsif ($line eq '<Directory "/var/www/html">')
{
$in_directory = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, secure => 0, list => { in_directory => $in_directory }});
}
$new_file .= $line."\n";
}
if ($rewrite)
{
# Back it up first.
my $backup_file = $anvil->Storage->backup({
file => $anvil->data->{path}{configs}{'httpd.conf'},
debug => $debug,
target => $target,
port => $port,
remote_user => $remote_user,
password => $password,
});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { backup_file => $backup_file }});
if ($backup_file)
{
# Proceed.
$anvil->Storage->write_file({
body => $new_file,
debug => $debug,
file => $anvil->data->{path}{configs}{'httpd.conf'},
overwrite => 1,
secure => 0,
target => $target,
port => $port,
remote_user => $remote_user,
password => $password,
});
}
}
return($return_code);
}
=head2 change_shell_user_password =head2 change_shell_user_password
This changes the password for a shell user account. It can change the password on either the local or a remote machine. This changes the password for a shell user account. It can change the password on either the local or a remote machine.
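Review bot: In change_apache_password() the fallbacks for `remote_user` and `user` look swapped: `$remote_user` defaults to `$anvil->data->{sys}{apache}{user}`, while `$user` defaults to `""` and is then hard-coded to `"admin"`. A remote call would therefore log in over SSH as the apache user instead of the documented `root`, and `sys::apache::user` is never applied to the account being changed. I would write `my $remote_user = defined $parameter->{remote_user} ? $parameter->{remote_user} : "root";` and `my $user = defined $parameter->{user} ? $parameter->{user} : $anvil->data->{sys}{apache}{user};`. `$return_code` is also never changed from 255 and the result of `Storage->write_file` is not checked, so a successful httpd.conf rewrite looks the same to the caller as an internal error. The first `Log->variables` call emits `new_password` and `password` in clear whenever `Log->secure` is true while the entry is flagged `secure => 0`; if that flag is what marks an entry as sensitive, it should be `secure => 1` here.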

@ -79,6 +79,9 @@ sys::database::schema = /usr/sbin/anvil/anvil.sql
# transaction can take and how much memory is used. # transaction can take and how much memory is used.
#sys::database::maximum_batch_size = 25000 #sys::database::maximum_batch_size = 25000
### Apache stuff
#sys::apache::user = admin
# By default, we try to determine the host type using the host name. The rules used for this can be seen in # By default, we try to determine the host type using the host name. The rules used for this can be seen in
# 'perldoc Anvil::Tools::System -> determine_host_type'. If you are using non-standard host names, or for some # 'perldoc Anvil::Tools::System -> determine_host_type'. If you are using non-standard host names, or for some
# other reason want to statically assign the host type, you can do so with this variable. Note that this sets # other reason want to statically assign the host type, you can do so with this variable. Note that this sets

@ -54,7 +54,7 @@ $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure =
if (not $connections) if (not $connections)
{ {
# No databases, exit. # No databases, exit.
print $anvil->Words->string({key => "error_0003"}); print $anvil->Words->string({key => "error_0003"})."\n";
$anvil->nice_exit({exit_code => 2}); $anvil->nice_exit({exit_code => 2});
} }
@ -173,7 +173,13 @@ sub update_local_passwords
print "Updating: [$user] with password: [".$anvil->data->{switches}{'new-password'}."]\n"; print "Updating: [$user] with password: [".$anvil->data->{switches}{'new-password'}."]\n";
$anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}}); $anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}});
} }
### TODO: Put the database into maintenance mode, then check for any known nodes and update their
### password for us.
# Update the database password. # Update the database password.
my $apache_user = $anvil->data->{sys}{apache}{user} ? $anvil->data->{sys}{apache}{user} : "admin";
$anvil->System->change_apache_password({debug => 2, new_password => $anvil->data->{switches}{'new-password'}});
return(0); return(0);
} }
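Review bot: `$apache_user` is computed but never passed to the new call, so the configured `sys::apache::user` has no effect and the method falls back to its own default. Pass it explicitly: `$anvil->System->change_apache_password({debug => 2, user => $apache_user, new_password => $anvil->data->{switches}{'new-password'}});`. The return value is discarded, so a failure to update httpd.conf goes unnoticed here. The existing `# Update the database password.` comment now sits directly above the apache call and should be reworded, e.g. `# Update the apache (Striker web interface) password.`. update_local_passwords() starts outside the hunk.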
